SAML2 Metadata Exchange & Tagging


Slide 1: SAML2 Metadata Exchange & Tagging
TNC 2009, Malaga, 10 June 2009
Thomas Lenggenhager, thomas.lenggenhager@switch.ch

Slide 2: Overview
1 What's the Problem?
2 Scalable Metadata Exchange
3 Metadata Tagging
4 Summary

Slide 3: What's the Problem?
The fact: more and more national Identity Federations based on SAML
The problem: how to establish "Schengen" for Identity Federations? Borders still exist, but they are no longer barriers
Focus on two technical topics which should finally ease Inter-Federation:
- Scalable Metadata Exchange
- Metadata Tagging

Slides 4-5: Credits
All the following is primarily based on the work and feedback of
- Chad La Joie, SWITCH & Internet2
- Ian A. Young, SDSS
- Leif Johansson, Stockholm University
- Scott Cantor, The Ohio State University & Internet2
- and many more from GÉANT2 JRA5 and elsewhere
It's all work in progress, and all errors are mine

Slide 6: Scalable Metadata Exchange
- Federations grow, metadata files grow
- Inter-Federation: a single metadata file is unmanageable
- Direct SAML2-based end-to-end communication should be maintained
- Idea: each entity needs just the set of metadata of its communication partners
See also: Interfederation and Metadata Exchange: Concepts and Methods, http://www.iay.org.uk/blog/2009/05/concepts_and_me.html

Slides 7-9: Federation Metadata today
(diagram) Register Metadata; Publish Metadata; Pull from Publisher

Slide 10: What is the role of Federations?
A Federation offers a set of services:
- Legal and/or policy framework: supports trust
- Technical recommendations or standards to deploy: eases interoperability
- Metadata management: provides tools & support
A Federation provides some scalability: for m IdPs and n SPs, only m+n relationships with the Federation Provider instead of up to m*n direct relationships

Slide 11: Federations are Trust Brokers
Distinguish two kinds of trust:
- Technical Trust: trustworthy entity metadata; assures secure communication between the entities
- Behavioural Trust: requires proper technical trust as its basis; comprises what is settled by contract or policy, e.g. quality of Identity Management, correctness of attribute values asserted

Slide 12: Crossing the Federation Borders
Technical Trust for Inter-Federation: introduce a Metadata Layer for trustworthy access to entity metadata
A Metadata Aggregator
- aggregates metadata from metadata publishers (process to be documented in an Aggregation Practice Statement)
- optionally accepts entity registrations (process to be documented in a Registration Practice Statement)
- publishes metadata for consumers
Entities
- register their own metadata with a Metadata Aggregator
- consume their metadata entity collection from a Metadata Aggregator

Slides 13-14: Metadata Aggregation
(diagram) Register Metadata; Pull from Publisher; Publish Metadata
A Federation Provider is a Metadata Aggregator

Slides 15-16: Metadata Layer
- Scalability through a mesh of Metadata Aggregators
- Entities choose their preferred Metadata Publisher, matching their needs
- Retrieval via REST (Representational State Transfer): a simple RESTful retrieval protocol (in draft)

Slide 17: Components of an Aggregator
- Metadata Registrar: register metadata from client entities
- Metadata Subscription: fetch metadata from other aggregators
- Transform metadata: filter entities on suitable criteria
- Merge metadata
- Publish metadata
  - universally: locally registered metadata which wants to inter-federate
  - to client entities and selected aggregators: specific entity collections (filtered sets of entities)

Slide 18: Metadata Tagging
Why tag entities in metadata?
- Describe the entity in a way suitable for filtering
- A third party asserts that an entity meets some qualification
- Tags are in use by the UK federation
- Use the XML extension mechanism so as not to break metadata interoperability
Scott Cantor submitted a proposal for introducing Entity Attributes suitable as tags for entities in metadata. For all details see the spec at OASIS, currently Committee Draft 01: SAML V2.0 Metadata Extension for Entity Attributes Version 1.0, http://docs.oasis-open.org/security/saml/post2.0/sstc-metadata-attr.html

Slide 19: EntityAttributes: What is it?
The <mdattr:EntityAttributes> element is a wrapper for one or more <saml:Attribute> or <saml:Assertion> elements. Assertions MUST conform to the assertion profile and will contain only attribute statements.
Assertion profile: The value of the <saml:NameID> MUST correspond to the entityID of the enclosing <md:EntityDescriptor> element. (...) Relying parties MUST process assertions in accordance with the standard processing rules in [SAML2Core].
If the EntityAttributes element is used within the <md:Extensions> element of an <md:EntityDescriptor> element, then it binds the enclosed SAML attributes (or the attributes within the enclosed assertions) to the enclosing entity. (...)

Slide 20: Tagging Entities with Entity Attributes
- To become useful, appropriate attributes for describing entities have to be defined; a job for the federations and the bodies coordinating inter-federation
- Assertion for an entity by a third party. An example: Organisation X asserts, with a signed assertion in an Entity Attribute, that entity Y was successfully audited according to a defined policy.
- Asserting parties have to define a policy on which they base the decision whether an entity is entitled to this assertion.
- The reputation of such an assertion will decide its usefulness: is metadata filtered using this criterion accepted by entities?
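The aggregator components of slide 17 (subscription, filtering, merging, publishing) and the entity-attribute tagging of slides 18-20 are easiest to see together in one small program. The following is an added example, not code from the slides, from SWITCH or from any GÉANT project: a toy aggregator, standard library only, that pulls three constructed publisher feeds, refuses a feed whose validUntil has passed, keeps only entities carrying a constructed third-party tag (urn:example:federation:audited-policy, a hypothetical attribute name, not one defined by any federation), resolves duplicate entityIDs by first registration, and publishes the result as a fresh EntitiesDescriptor. The namespace URIs and the mdattr:EntityAttributes structure are those of the SAML 2.0 metadata and Entity Attributes specifications; verifying the publisher's XML signature on each feed, which a real aggregator must do before any of this, is assumed to have happened already and is not shown.

```python
"""Toy SAML2 metadata aggregator: subscribe, filter on entity attributes, merge, publish.
Added example (not the slides', SWITCH's or GÉANT's code); stdlib only; tag name and feeds constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the SAML 2.0 metadata and Entity Attributes specifications
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
AUDITED_TAG = "urn:example:federation:audited-policy"  # hypothetical third-party audit tag
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def q(prefix, local):
    """Clark-notation tag name, e.g. {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor."""
    return "{%s}%s" % (NS[prefix], local)


_XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def entity_xml(entity_id, role, tag_value=None):
    """Constructed md:EntityDescriptor; with tag_value it also carries an mdattr:EntityAttributes tag."""
    ext = ""
    if tag_value is not None:
        ext = ('<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="%s" NameFormat="%s">'
               '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
               '</mdattr:EntityAttributes></md:Extensions>' % (AUDITED_TAG, URI_FORMAT, tag_value))
    return ('<md:EntityDescriptor entityID="%s">%s<md:%sDescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>' % (entity_id, ext, role))


def feed_xml(name, valid_until, *entities):
    """Constructed md:EntitiesDescriptor as one publisher in the aggregator mesh would serve it."""
    return ('<md:EntitiesDescriptor %s Name="%s" validUntil="%s">%s</md:EntitiesDescriptor>'
            % (_XMLNS, name, valid_until, "".join(entities)))


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible
FEED_A = feed_xml("federation-a", "2099-01-01T00:00:00Z",
                  entity_xml("https://idp.example-a.org/idp", "IDPSSO", "policy-v1"),
                  entity_xml("https://sp.example-a.org/sp", "SPSSO"))  # carries no tag
FEED_B = feed_xml("federation-b", "2099-01-01T00:00:00Z",
                  entity_xml("https://idp.example-a.org/idp", "IDPSSO", "policy-v1"),  # same IdP as A
                  entity_xml("https://sp.example-b.org/sp", "SPSSO", "policy-v1"))
FEED_STALE = feed_xml("federation-c", "2000-01-01T00:00:00Z",  # validUntil already passed
                      entity_xml("https://sp.example-c.org/sp", "SPSSO", "policy-v1"))


def parse_feed(xml_text, now):
    """Subscription step: parse a publisher's EntitiesDescriptor, refusing one without a
    validUntil or with one already passed. Assumed done before this: verifying the feed's XML signature."""
    root = ET.fromstring(xml_text)
    if root.tag != q("md", "EntitiesDescriptor"):
        raise ValueError("not an md:EntitiesDescriptor")
    expiry = root.get("validUntil")
    if expiry is None or datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        raise ValueError("feed %s missing validUntil or expired (%s)" % (root.get("Name"), expiry))
    return root.get("Name"), list(root.iter(q("md", "EntityDescriptor")))


def entity_tags(entity):
    """Return {attribute Name: set of values} read from the entity's mdattr:EntityAttributes."""
    tags = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        tags.setdefault(attr.get("Name"), set()).update(values)
    return tags


def has_tag(entity, name, value=None):
    values = entity_tags(entity).get(name, set())
    return bool(values) and (value is None or value in values)


def aggregate(feeds, now, required_tag=None, required_value=None, name="aggregate"):
    """Transform + merge + publish: keep tagged entities, first registration of an entityID wins,
    stamp a fresh validUntil. Returns (document, list of rejection reasons)."""
    out = ET.Element(q("md", "EntitiesDescriptor"),
                     {"Name": name, "validUntil": (now + timedelta(days=7)).strftime(TIME_FMT)})
    seen, rejected = {}, []
    for text in feeds:
        try:
            feed_name, entities = parse_feed(text, now)
        except ValueError as err:
            rejected.append(str(err))
            continue
        for ent in entities:
            eid = ent.get("entityID")
            if required_tag and not has_tag(ent, required_tag, required_value):
                rejected.append("%s: missing tag %s" % (eid, required_tag))
            elif eid in seen:
                rejected.append("%s: duplicate, already taken from %s" % (eid, seen[eid]))
            else:
                seen[eid] = feed_name
                out.append(ent)
    return out, rejected


def published_entity_ids(doc):
    return [e.get("entityID") for e in doc.findall("md:EntityDescriptor", NS)]


def publish(doc):
    return ET.tostring(doc, encoding="unicode")
```

Calling `aggregate([FEED_A, FEED_B, FEED_STALE], NOW, AUDITED_TAG, "policy-v1")` publishes only the tagged IdP from federation-a and the tagged SP from federation-b; the untagged SP, the duplicate IdP in federation-b and the whole expired federation-c feed end up in the rejection log, which is the kind of record an Aggregation Practice Statement would expect the operator to keep. The "first registration wins" rule is a design choice for the demo: a production aggregator would treat the same entityID arriving from two publishers as a conflict to be resolved by policy, not silently.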

Slide 21: Summary
- Scalable Technical Trust can be achieved by Aggregators: Metadata Aggregators form the Metadata Layer, enabling scalable metadata exchange
- Scalable Behavioural Trust can be supported by defining policies which gain wide acceptance: express adherence to a certain policy with an asserted tag
- Metadata Tagging allows effective entity filtering
- Now we have to trial it and work on the details!

Slide 22: Questions?
Q & A
http://www.switch.ch/aai
aai@switch.ch